Re: [Acme] Issue: Allow ports other than 443
Hugo Landau <hlandau@devever.net> Tue, 24 November 2015 10:17 UTC
Date: Tue, 24 Nov 2015 10:17:18 +0000
From: Hugo Landau <hlandau@devever.net>
To: acme@ietf.org
Message-ID: <20151124101718.GA18565@andover>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com>
In-Reply-To: <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/33w4bud4-EpfaEg8GjojkbByGIc>
On Mon, Nov 23, 2015 at 09:52:07AM -0800, Martin Thomson wrote:
> Could we ask IANA for a reserved system port (<1024)? Then it would
> be possible for an ACME client to operate without disturbing running
> services.

I wrote this on the GitHub issue, but should have posted it here:

It seems like there is a clear roadmap for doing this securely:

- Register a new port <1024 with IANA, exclusively for the purposes of ACME
  challenge. The semantics of this port is that control of it is deemed to
  constitute control of the system.

- Might want to require that TLS be used on this port; otherwise you have the
  possibility that either HTTP or TLS (either for HTTP or DVSNI) is running on
  the port. These sorts of ambiguities should be avoided. It also allows this
  "hostmaster" port to be extended for other purposes at a later time via ALPN.

- Allow either port 443 or that port to be used.

- Arguably, one should not even allow the use of port 443 if this port is
  open. Note that use of 443 has already proven a problem once with the
  vulnerabilities in the DVSNI challenge mechanism w.r.t. common hosting
  configurations.
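A model of the two checks a validating server would make under the scheme sketched above, added here as an example; it is not code from the original post or from any ACME implementation. The port number 1023 is a placeholder assumption (no such port was ever registered), and the first-bytes sniffing shows the HTTP-versus-TLS ambiguity the post wants a TLS-only port to remove.

```python
# Added example, not part of the original post. It models (1) the policy that
# the dedicated privileged port wins over 443 whenever it is open, and
# (2) a TLS-only rule on that port, so the validator never has to guess
# whether plaintext HTTP or TLS is being served. HOSTMASTER_PORT is a
# placeholder: no such port was ever assigned by IANA.
import socket
from typing import Optional

HOSTMASTER_PORT = 1023          # placeholder for the hypothetical IANA-assigned port
TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Say what protocol the first bytes on a connection look like.

    A TLS record begins with content type 0x16 and a 0x03 0x0X version;
    plaintext HTTP begins with a method token and a space. On a port where
    both are permitted the validator has to sniff like this; on a TLS-only
    port anything that is not a TLS record is simply a failed validation.
    """
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Probe whether anything accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_validation_port(hostmaster_open: bool, offered_port: int) -> Optional[int]:
    """Apply the post's policy: if the hostmaster port is open it is the only
    acceptable place to validate; otherwise 443 is allowed; nothing else is."""
    if hostmaster_open:
        return HOSTMASTER_PORT
    if offered_port == 443:
        return 443
    return None


def accept_on_hostmaster_port(first_bytes: bytes) -> bool:
    """The hostmaster port is TLS-only: plaintext HTTP is rejected outright."""
    return classify_first_bytes(first_bytes) == "tls"
```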